Last May, researchers published a bombshell report documenting sophisticated malware attributed to the Russian government. The malware, dubbed "LoJax," creates a persistent backdoor that survives operating system reinstalls and hard drive replacements. On Wednesday, researchers published new findings that indicate the campaign remains active.

In May, LoJax became the first known case of a real-world attack harnessing the Unified Extensible Firmware Interface boot system found in virtually all modern Windows computers. As software that bridges a PC’s firmware and its operating system, UEFI is essentially a lightweight operating system in its own right. That makes it a handy place to hide rootkits, because once there, a rootkit will remain in place even after an OS is reinstalled or a hard drive is replaced.

LoJack repurposed

LoJax gets its name from LoJack, an anti-theft product from developer Absolute Software. The rootkit is a modified version of a 2008 release of LoJack (then called Computrace). The anti-theft software achieved persistence by burrowing into the UEFI of the computer it was protecting. The design ensured that even if a thief made major changes to a computer’s hardware or software, a LoJack “small agent” would remain intact and be able to contact Absolute Software servers.

LoJax repurposes the LoJack software and exploits a key shortcoming—the lack of any means for the Absolute Software server to authenticate itself to the software. LoJax uses most of the working functionality of the legitimate anti-theft tool—a feature that long made it hard for antivirus software to detect the malware. The trojan makes modifications that cause it to connect to servers believed to be operated by Fancy Bear, a hacking group that works under the direction of the Russian government.

Now Netscout is back with new research analyzing newly found samples. They reveal several never-before-seen control server domains, at least two of which remain active now. The discovery also indicates that Fancy Bear’s LoJax campaign started in late 2016.

“Continued diligence in tracking activity related to LoJax proved that the actors still maintain live C2 [command and control] servers and may have additional ongoing operations outside the in-the-wild use reported by ESET activity in September 2018, about 5 months after public reporting of LoJax,” Netscout researchers wrote. “Even with all of the publicity around LoJax, Fancy Bear operations have kept some of the originally identified C2 servers alive.”

The IP addresses that turned up in the analysis include:

185.86.151[.]2
169.239.128[.]133
185.181.102[.]201
46.21.147[.]76
169.239.129[.]121
46.21.147[.]71
86.106.131[.]54

The first two remain active now. The same IP addresses appeared in research published in October by the UK’s National Cyber Security Center. Based on passive DNS searches of many of the IPs from that report, Netscout researchers believe they uncovered additional LoJax control server-to-domain mappings:

| Netscout Researched Domain Mapping | UK NCSC IP |
|---|---|
| UNKNOWN | 185.86.148[.]184 |
| moldstream[.]md | 185.181.102[.]201 |
| visualrates[.]com | 169.239.129[.]121 |
| regvirt[.]com | 46.21.147[.]71 |
| ntpstatistics[.]com | 169.239.128[.]133 |
| oiatribe[.]com | 162.208.10[.]66 |
| msfontserver[.]com | 179.43.158[.]20 |
| treckanalytics[.]com | 94.177.12[.]150 |
| unigymboom[.]com | 185.86.151[.]2 |
| sysanalyticweb[.]com | 54.37.104[.]106 |
| remotepx[.]net | 85.204.124[.]77 |
| vsnet[.]co | 46.21.147[.]76 |
| hp-apps[.]com | 185.86.149[.]116 |
| jflynci[.]com | 185.86.151[.]104 |
| peacefund[.]eu | 185.183.107[.]40 |
| elaxo[.]org | 86.106.131[.]54 |
| oiagives[.]com | 162.208.10[.]66 |
| UNKNOWN | 93.113.131[.]103 |
| webstp[.]com | 185.94.191[.]65 |

The report went on to map specific domains to specific LoJax samples. It also provided the following recent IP-to-domain mappings, which Netscout assesses with moderate confidence are LoJax C2 domains either in use today or set aside for future use:

| Scanner Found IP | ASERT Researched Domain Mapping | Last Active |
|---|---|---|
| 185.86.151[.]2 | unigymboom[.]com | Current |
| 169.239.128[.]133 | ntpstatistics[.]com | Current |
| 185.181.102[.]201 | moldstream[.]md | Fall 2018 |
| 46.21.147[.]76 | vsnet[.]co | Fall 2018 |
| 169.239.129[.]121 | visualrates[.]com | Fall 2018 |

Both the ntpstatistics[.]com and unigymboom[.]com domains point to live control servers that can still be contacted by LoJax’s agents, Netscout researchers said.
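As an added example (not code from the article, Netscout or ESET), here is a small Python checker that refangs the five IP-to-domain rows above and matches them against constructed DNS-query and connection log lines; the log layout, the log lines and the table text embedded in the script are assumptions made for the example.

```python
import re
from collections import namedtuple
# Constructed input: the five defanged rows of the ASERT table on this page,
# kept in the "[.]" defanged form exactly as published there.
DEFANGED_TABLE = """\
185.86.151[.]2      unigymboom[.]com     Current
169.239.128[.]133   ntpstatistics[.]com  Current
185.181.102[.]201   moldstream[.]md      Fall 2018
46.21.147[.]76      vsnet[.]co           Fall 2018
169.239.129[.]121   visualrates[.]com    Fall 2018
"""
# Constructed log lines in an assumed "<time> <client> <dns|conn> <value>" layout.
SAMPLE_LOGS = [
    "2019-05-01T10:00:01Z 10.0.0.5 dns ntpstatistics.com.",
    "2019-05-01T10:00:02Z 10.0.0.5 conn 169.239.128.133",
    "2019-05-01T10:00:03Z 10.0.0.7 dns update.example.org",
    "2019-05-01T10:00:04Z 10.0.0.9 dns WWW.unigymboom.com",
    "2019-05-01T10:00:05Z 10.0.0.9 conn 185.181.102.201",
]
Indicator = namedtuple("Indicator", "ip domain last_active")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")

def refang(value):
    """Restore a defanged indicator ("185.86.151[.]2") to its matchable form."""
    return value.replace("[.]", ".")

def parse_table(text):
    """Parse 'IP  domain  last-active' rows; last-active may contain a space."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append(Indicator(refang(parts[0]), refang(parts[1]), parts[2].strip()))
    return rows

def scan_logs(log_lines, indicators):
    """Return (log_line, Indicator) per line naming a listed C2 IP or domain; DNS
    names are normalised (case, trailing dot) and match the domain or a subdomain."""
    by_ip = {i.ip: i for i in indicators}
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        value = m.group("value").lower().rstrip(".")
        if m.group("kind") == "conn":
            ind = by_ip.get(value)
        else:
            ind = next((i for i in indicators
                        if value == i.domain or value.endswith("." + i.domain)), None)
        if ind is not None:
            hits.append((m.group(0), ind))
    return hits
```

Carrying the "Last Active" column through to each hit lets an analyst tell a contact with a currently live server from one with a domain last seen in fall 2018.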

The new findings suggest that the LoJax campaign remains active despite having come to light. The above-linked ESET report provides a variety of indicators that people can use to determine whether a computer is infected.